1. allocate
2. double free (leak the chunk's address)
3. rewrite (control what the second malloc from the bin returns)
4. dummy allocate
5. pwn allocate (chunk handed out at the custom address region)
$$$
# allocate + double free
After the second free the chunk's forward pointer (the free-list link, stored in the first 8 bytes of the chunk's user data) points to the chunk itself, so reading the "freed" chunk leaks its own heap address.
# rewrite
Use the leaked address: overwrite the chunk's forward pointer with address+8 (the effective target address), so the free list now points at the region we want the second malloc to return.
# dummy allocate
The first malloc gets the original chunk back and pops it off the free list; the list head is now the forged pointer we wrote.
# pwn allocate
The next malloc returns the forged address as a fresh chunk; whatever we write into it lands at the target address.
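The five steps above, as an added example that is not the writeup's exploit: a toy allocator whose free list behaves like glibc's tcache (LIFO, singly linked, with the link stored in the first 8 bytes of the chunk's user data, and, as in glibc 2.28 and earlier, no double-free check), so the attack runs deterministically without depending on the installed libc. The names `sim_malloc`, `sim_free`, `arena` and `target` are assumptions of this example, and `target` stands in for the "custom address region"; passing `NULL` to `run_attack` uses the writeup's own choice of leak+8 as the forged pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy allocator (assumption of this example, not glibc): fixed-size chunks
 * carved from a flat arena; the free-list link lives in the first 8 bytes
 * of a chunk's user data, exactly where tcache keeps "next". */
#define CHUNK_SIZE 0x20
#define ARENA_CHUNKS 8

static unsigned char arena[ARENA_CHUNKS * CHUNK_SIZE];
static size_t top;            /* bump pointer for never-freed chunks */
static void *free_head;       /* head of the singly linked free list */

/* Region outside the arena that we want malloc to hand back. */
static char target[CHUNK_SIZE];

static void sim_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(target, 0, sizeof target);
    top = 0;
    free_head = NULL;
}

/* free: push onto the list; the link overwrites the chunk's first 8 bytes.
 * No double-free detection, like tcache before glibc 2.29. */
static void sim_free(void *p) {
    *(void **)p = free_head;
    free_head = p;
}

/* malloc: pop the head and trust its link blindly, like tcache_get(). */
static void *sim_malloc(void) {
    if (free_head) {
        void *p = free_head;
        free_head = *(void **)p;      /* whatever the chunk says is next */
        return p;
    }
    if (top + CHUNK_SIZE > sizeof arena) return NULL;
    void *p = arena + top;
    top += CHUNK_SIZE;
    return p;
}

const unsigned char *arena_base(void) { return arena; }
const char *target_contents(void) { return target; }

/* Steps 1-2: allocate, free twice. Returns 1 if the chunk's link now points
 * at the chunk itself, i.e. reading the freed chunk leaks its own address. */
int double_free_leaks_self(void) {
    sim_reset();
    void *a = sim_malloc();
    sim_free(a);
    sim_free(a);                      /* head = a, and a->next = a */
    uintptr_t leak = *(uintptr_t *)a; /* what a "show note" primitive reads */
    return leak == (uintptr_t)a;
}

/* Steps 1-5 end to end. forged is the address to plant in the free list;
 * NULL means "leak + 8", the writeup's own target. Returns the pointer the
 * pwn allocation hands out, or NULL if the chain did not behave as expected. */
void *run_attack(void *forged) {
    sim_reset();
    void *a = sim_malloc();           /* 1. allocate */
    sim_free(a);
    sim_free(a);                      /* 2. double free */
    uintptr_t leak = *(uintptr_t *)a; /*    leak: a's own address */
    if (leak != (uintptr_t)a) return NULL;
    if (forged == NULL) forged = (void *)(leak + 8);
    *(void **)a = forged;             /* 3. rewrite the forward pointer */
    void *dummy = sim_malloc();       /* 4. dummy: returns a, head = forged */
    if (dummy != a) return NULL;
    void *pwn = sim_malloc();         /* 5. pwn: returns the forged address */
    memcpy(pwn, "owned", 6);          /*    write lands at our chosen region */
    return pwn;
}

int main(void) {
    printf("double free leaks self: %d\n", double_free_leaks_self());
    void *p = run_attack(target);
    printf("pwn chunk %p, target %p, target now holds \"%s\"\n",
           p, (void *)target, target);
    p = run_attack(NULL);
    printf("with leak+8 the pwn chunk is %p (arena %p)\n", p, (void *)arena);
    return 0;
}
```

Against a real libc the same sequence only works on glibc 2.28 and earlier: from 2.29 the tcache `key` field makes the second `free()` abort with "free(): double free detected in tcache 2", and from 2.32 safe-linking mangles the `next` pointer, so the raw value read back from the freed chunk is no longer a usable heap address and the forged pointer must be mangled with the heap base before it is written.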
🔥🔥🔥